by failed_ideas 4142 days ago
This is great, but if you use a password manager, it's very difficult to determine which, if any, of your accounts would be compromised. For myself, this would just be doing a dump and looping a few greps. But for family and friends, does anyone have any ideas for a less technical audience?
3 comments

If you're using a password manager and thus -- I hope -- using a different password for every service, it doesn't really matter if one service gets compromised. The compromised service in question will (hopefully) force password resets for all affected users, and the compromised password is useless elsewhere.
Instead of responding to breaches, I would recommend an annual (more frequent is better, obviously, but I think annual is fine) cycle of rotating passwords. Just pick a day and spend it replacing passwords. As a side effect, you get a mental update on exactly what identities you're managing and whether or not you want to modify or close them.

This should be fairly straightforward even for non-technical people, if they've got a grasp on actually using the password manager itself. The hard part is (1) getting the list of identities, which isn't too hard if you're hand-holding, and (2) actually remembering to do it. (Which is why annual is nice. You can peg it to a holiday you already celebrate, or substitute it for one you don't. Halloween, for instance, because breaches are scary? Or something.)

Bonus: if a breach happens that actually feels scary, just do the rotation ritual ahead of time. Not that big of a deal.

1Password has a limited ability to warn you of compromised passwords. They maintain a database of breaches that they warn you about in their client. The warning, however, is much less prominent than it probably should be.
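The "dump and a few greps" approach from the original post, together with the reuse point in the first reply (a breached password only matters elsewhere if it was reused), can be put into one small script. This is an added example, not code from the thread or from 1Password or any other password manager: it reads a constructed CSV export of the common `title,url,username,password` shape and a constructed list of breached domains, reports which entries belong to a breached site, and then reports which other entries share a password with one of those. The export layout and the breach list format are assumptions; real exports vary in column names, so adjust `parse_export` to match yours.

```python
"""
Offline check of a password-manager export against a list of breached sites.

Example code added to illustrate the thread; not from any password manager.
The CSV layout, the breach-list format and all values below are constructed.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export (title,url,username,password). Made-up values.
EXPORT_CSV = """title,url,username,password
Example Shop,https://shop.example.com/login,alice@example.net,correct-horse-1
Example Mail,https://mail.example.net,alice,correct-horse-1
Forum,http://forum.example.org/,alice_f,hunter2
Bank,https://bank.example.com,alice,Zt4#mR9q
"""

# Constructed breach list: one domain per line, as a breach notice might state it.
BREACHED_DOMAINS = """shop.example.com
oldsite.example.invalid
"""


def host_of(url):
    """Lower-cased hostname of a URL, without scheme, port or path."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def host_candidates(host):
    """The host itself plus its parent domains (excluding the bare TLD), so a
    notice naming 'example.com' also matches an entry for 'shop.example.com'."""
    parts = host.split(".")
    return {".".join(parts[i:]) for i in range(len(parts) - 1)}


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_breached(text):
    """Parse the breach list into a set of lower-cased domains."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def check_export(export_text, breached_text):
    """Return the entries on breached sites and the entries that share a
    password with one of them (the reuse case where a breach spreads)."""
    entries = parse_export(export_text)
    breached = parse_breached(breached_text)

    # password -> titles using it; only used to detect reuse, never printed
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["title"])

    directly_affected = [
        e["title"] for e in entries
        if host_candidates(host_of(e["url"])) & breached
    ]

    shared = set()
    for e in entries:
        if e["title"] in directly_affected:
            for other in by_password[e["password"]]:
                if other != e["title"]:
                    shared.add(other)

    return {
        "directly_affected": directly_affected,
        "shared_password_with_affected": sorted(shared),
    }


if __name__ == "__main__":
    result = check_export(EXPORT_CSV, BREACHED_DOMAINS)
    print("Change these (site was breached):", result["directly_affected"])
    print("Change these too (same password):", result["shared_password_with_affected"])
```

Run it against your own export and breach list by swapping the two constructed strings for file contents. The script keeps passwords in memory only to group entries by reuse and never prints them; run it on the machine holding the export and delete the export afterwards, since a plaintext dump is the most sensitive file on the system while it exists.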